Korean Cybersecurity Framework
23 Sep 2009, Hyderabad, India
2009 ITU Regional Cybersecurity Forum for Asia-Pacific
Terrence Park, KrCERT/CC, Korea Internet & Security Agency
Contents
- Cybersecurity Constituency in Korea
- Code of Conduct in Korea
- Evolution of Cyber Incident
- National Cybersecurity Framework
- KrCERT/CC Activity
- 7.7 DDoS
Cybersecurity Constituency in Korea
National Cybersecurity Strategy Council, with three sectors beneath it:

Private Sector (Korea Communications Commission)
- Population: 48 million, Internet users: 35 million
- PC: 30 million, Server: 5.7 million
- Broadband subscribers (Jun 2009): 16 million
- IPv4 addresses (Jun 2009): 73 million
- VoIP subscribers (May 2009): 4 million
- IPTV subscribers (Jul 2009): 0.5 million
- Constituents: Private Corp., User, Financial, IPTV/VoIP, Portal, KINX, Internet

Public Sector (National Intelligence Service; Ministry of Public Administration and Security)
- Public officers: 610K, Local officers: 270K, Public org officers: 250K
- PC: 1 million (inferred), Server: 15K (inferred)
- Constituents: Gov website, Public Org

Military (MND)
- Military officers, servers & PCs
- Constituents: Military Websites
Code of Conduct in Korea
Relevant Act (Korea Communications Commission): The Act on Promotion of Information & Communication Network Utilization and Information Protection, etc.

Article 48-2 (Response, etc. to Infringement Accident)
(1) The Chairman of Korea Communications Commission shall perform the task falling under each of the following subparagraphs to properly cope with any infringement accident and may, if necessary, get the Security Agency to perform the task, in whole or in part:
1. The collection and dissemination of information on infringement accident;
2. The forecast and alert of infringement accident;
3. Emergency measures against infringement accident; and
4. Other measures prescribed by the Presidential Decree to cope with infringement accident.
(2) The person falling under each of the following subparagraphs shall furnish information pertaining to infringement accident, including the statistics of infringement accident by type, the statistics of traffic volume in the relevant information and communications networks and the statistics of uses by connection channel, to the Minister of Information and Communication or the Security Agency under the conditions as prescribed by the Ordinance of the Korea Communications Commission:
1. The provider of major information and communications services;
2. The business operator of agglomerated information and communications facilities; and
3. Other person who is prescribed by the Presidential Decree as the operator of the information and communications networks.

Article 48-3 (Report on Infringement Accident, etc.)
(1) The person falling under each of the following subparagraphs shall, when any infringement accident occurs or he finds signs of any infringement accident, report without delay the occurrence of such infringement accident or his finding of such signs to the Chairman of Communications Commission or the Security Agency. In this case, if any notice is served in accordance with Article 13 (1) of the Act on the Protection of Information and Communications Infrastructure, such notice shall be deemed the report referred to in the former part:
1. The provider of information and communications services;
2. The business operator of agglomerated information and communications facilities; and
3. Other person who is prescribed by the Presidential Decree as the operator of the information and communications networks.
Evolution of Cyber Incident
Periods on the slide: up to 1998, 1999 to 2003, 2004 to present.

Security Threat Type
- up to 1998: Hacking, virus
- 1999 to 2003: DoS, Internet Worm (1.25)
- 2004 to present: BOT/BotNet, DDoS, Spyware/Crimeware, Phishing (7.7)

Attack Technique
- up to 1998: Independent attack
- 1999 to 2003: Distributed attack; Embedded, automatic
- 2004 to present: Focused/smarter; Social engineering; DDoS by BOT (increase of malicious traffic)

Security Threat Paradigm (2004 to present)
- Increase of personal credential leakage
- Increase of online financial crime
- Organized crime (financial)
- Increase of industrial spying / internal breach
- Increase of cross-border hacking activity

Countermeasure
- up to 1998: Point security solution (IDS, F/W)
- 1999 to 2003: Distributed detection/analysis; Security trend analysis; Integrated security management
- 2004 to present: Intelligent security system; Threat management framework; Cooperating orgs / info sharing; Policy/managerial security
National Cybersecurity Framework
National Cyber Crisis Framework
- President: Presidential Directive, National Cybersecurity Regulation
- National Cybersecurity Strategy Council (Chair: Head of NIS)
- National Cybersecurity Planning Council (Chair: 2nd Head of NIS)
- National Crisis Situation Center
- Recovery Support and Joint Investigation
  * public: NIS, MND, KCC (Prosecutor, Police join when needed)
  * private: experts from industry/academic/research
- Ministry of National Defense -> Defense Security Command -> Military Area / each unit
- National Intelligence Service -> KNCERT/CC -> Critical infrastructures in government/public sector
- Korea Communications Commission -> KrCERT/CC -> Critical infrastructures in private sector
Cybersecurity Crisis Management Standard Manual (Oct 2008)
National Cybersecurity Framework
National Cyber Crisis Framework for Private Sector
Actors: National Crisis Situation Center; Korea Communications Commission Emergency Headquarter (Network Security Team, Public-Private Joint Recovery Support, Public-Private Joint Investigation); National Intelligence Service and Ministry of Defense; Critical Infrastructures; Prosecutor and Police; ISP/IDC, Security Vendors, Corporations, Users.
Flow as drawn:
① report & info feed (from ISP/IDC, security vendors, corporations and users)
② preliminary action & report
③ info sharing (with NIS, Ministry of Defense)
④ response guide
⑤ countermeasure
Cybersecurity Crisis Response Manual for private sector (Jan 2009)
National Cybersecurity Framework
Crisis Warning Issue Framework

Warning levels (highest first), issuer and situation:
- Critical (issuer: KCC): Entire Internet breakdown. Response: Emergency Headquarter formed, Public-Private Joint Analysis Team activated, block certain services.
- Severe (issuer: KCC): Mass damage on multiple ISPs and critical infrastructures. Response: possible control on certain service, public awareness (TV), emergency duty system activated.
- Substantial (issuer: KrCERT/CC): Partial Internet service breakdown. Response: damage status report, emergency duty system activated.
- Moderate (issuer: KrCERT/CC): Increase of incidents and possible damage. Response: public awareness, emergency duty system activated.
- Normal response below these levels.

Report direction: National Crisis Situation Center, NIS, KCC, MND, President.
Issue process as drawn: 1st evaluation on abnormality by KrCERT/CC, cause of issue, report and 2nd evaluation by the Head of KrCERT/CC (Response Leader), then report and info-sharing with NCSC (NIS), MND and Prosecutor/Police.
Dissemination (Report, Alert, Advisory): General User, Network Admin, ISP, IDC, AV vendor, ISAC, MSSP, Mobile Telco, Critical Infrastructure.

※ Common response for all levels
- Discuss the warning with NIS, MND and report to Blue House
- Cause analysis, spread prevention, recovery support
National Cybersecurity Framework
Local Cooperation Framework
Parties: Private sector (ISP, IDC, SO, etc.); Public sector (Government, Public Orgs); National Crisis Situation Center.
Cooperation items: Incident escalation & info sharing; Education support; Internet crime related support; Info-sharing; Onsite joint investigation; Incident escalation for serious crime; Technical documents; Hacking analysis report.
KrCERT/CC Activity
Detection sources: ISP/ESM, Remote Agent, IDS/Firewall, Email feed, Vulnerability, Web, S/W and H/W, AntiVirus, Messenger, User, Incident Reports, Malware
Analysis
Dissemination & Support (via Mail, FAX, SMS, TRS)
- Info-providing orgs / hot liners (ISP/IDC, Mobile Provider, Security/AV Vendors): Traffic monitoring, User protection, Malicious traffic block, Develop vaccine, Incident reports
- Private Corp. (Portal, B2B, B2C): Attack port block, Security patch, Log analysis, Damage recovery
- General User: Security patch, Damage recovery
- Broadcasting/Media: Public awareness
- Intelligence, Military, Police: Info-sharing
7.7 DDoS
What is different?
Attack
- Zombies do not act on a real-time basis; no herder is needed
- Crafted to act based on a pre-designed scenario
- Damages the fixed drive at a certain time
Response
- C&C blocking does not work
- Clearing is possible only when all zombies are cured
- Limited countermeasures in the network aspect
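The contrast above (scenario-driven zombies versus C&C-driven bots, and why cleanup timing matters when the scenario ends with a disk-damage trigger) as an added Python model; this is not code from the slides or from KrCERT/CC. The host names, the C&C name cnc.example, the schedule and the response scenarios are constructed assumptions, loosely patterned on the wave times shown later in the deck.

```python
"""Response-coverage model for a scenario-driven botnet.

Added illustration; not code from the KrCERT/CC slides. It contrasts two
bot designs on a constructed toy population of infected hosts:
  * "cnc"       - bots that act only on live commands from a C&C host
  * "scheduled" - bots carrying a pre-designed scenario (fixed attack
                  windows plus a disk-damage trigger), so no herder is needed
and shows which response actions actually reduce the residual capacity.
Host names, C&C name, schedules and counts are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

When = Tuple[int, int]  # (day, hour), e.g. (7, 19) = the 7th at 19:00


@dataclass(frozen=True)
class Zombie:
    host: str
    kind: str                              # "cnc" or "scheduled"
    cnc: Optional[str] = None              # controller a "cnc" bot depends on
    windows: Tuple[When, ...] = ()         # attack windows baked into a "scheduled" bot
    disk_damage_at: Optional[When] = None  # destructive trigger, or None


@dataclass
class Response:
    blocked_cnc: Set[str] = field(default_factory=set)
    cured: Dict[str, When] = field(default_factory=dict)  # host -> time cleaned


def can_attack(z: Zombie, when: When, resp: Response) -> bool:
    """A host contributes to a window only if it is still infected at that
    time and, for a C&C bot, its controller has not been blocked."""
    cured_at = resp.cured.get(z.host)
    if cured_at is not None and cured_at <= when:
        return False
    if z.kind == "cnc":
        return z.cnc not in resp.blocked_cnc
    return when in z.windows


def residual_capacity(zombies, resp: Response, windows) -> Dict[When, int]:
    """Number of hosts still able to attack in each window."""
    return {w: sum(can_attack(z, w, resp) for z in zombies) for w in windows}


def hosts_damaged(zombies, resp: Response):
    """Hosts whose drive the scenario destroys because cleanup came too late."""
    return sorted(
        z.host for z in zombies
        if z.disk_damage_at is not None
        and not (z.host in resp.cured and resp.cured[z.host] <= z.disk_damage_at)
    )


# Constructed population: three scenario-driven bots sharing one schedule
# (times loosely patterned on the deck's 1900/1800/1800 waves and the 0000
# disk trigger) and two classic C&C-driven bots.
WINDOWS = ((7, 19), (8, 18), (9, 18))
DAMAGE_AT = (10, 0)
SAMPLE = [
    Zombie("pc-01", "scheduled", windows=WINDOWS, disk_damage_at=DAMAGE_AT),
    Zombie("pc-02", "scheduled", windows=WINDOWS, disk_damage_at=DAMAGE_AT),
    Zombie("pc-03", "scheduled", windows=WINDOWS, disk_damage_at=DAMAGE_AT),
    Zombie("pc-04", "cnc", cnc="cnc.example"),
    Zombie("pc-05", "cnc", cnc="cnc.example"),
]

# Constructed response scenarios a responder might compare.
SCENARIOS = {
    "no response": Response(),
    "block C&C only": Response(blocked_cnc={"cnc.example"}),
    "block C&C, cure two hosts in time": Response(
        blocked_cnc={"cnc.example"},
        cured={"pc-01": (8, 0), "pc-02": (9, 12)}),
    "cure every host before the trigger": Response(
        cured={h: (9, 23) for h in ("pc-01", "pc-02", "pc-03")}),
}


def evaluate(name: str):
    """Return (capacity per window, hosts whose drives are lost) for a scenario."""
    resp = SCENARIOS[name]
    return residual_capacity(SAMPLE, resp, WINDOWS), hosts_damaged(SAMPLE, resp)


if __name__ == "__main__":
    for name in SCENARIOS:
        cap, damaged = evaluate(name)
        print(f"{name}: capacity per window {cap}; drives lost {damaged}")
```

Blocking the controller removes only the two C&C bots; the three scheduled hosts keep every wave and still lose their drives, which is the "C&C blocking does not work" point. Capacity for a wave drops only for hosts cleaned at or before that wave, and a drive is saved only if the host is cleaned at or before the trigger, so the model makes the cleanup deadline explicit rather than just the cleanup count.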
7.7 DDoS
Attack & Response Flow (slide date axis: 7/7, 7/8, 7/9, 7/10, 7/11, 7/12, 7/15)
Attack events:
- 1st DDoS attack (1900)
- 2nd DDoS attack (1800)
- 3rd DDoS attack (1800)
- HDD attack (0000)
- DDoS attack ended (1800)
Response actions:
- DDoS malware sample secured (internal and external sources); malware host info secured
- Forward sample to AV vendor; block malware host (shown repeatedly on the slide)
- Issue warning 'Substantial' (0240)
- HDD damage info secured; alert on HDD destruction (2330)
- Block HDD damage hosts (shown repeatedly on the slide); initiate public service for HDD damage
- Warning level down to Moderate (1500)
7.7 DDoS
Attack & Response Timeline
- DDoS attack occurred (7 Jul); attack detected by DDoS Response System
- Attack log & IP secured (7 Jul) (KrCERT/CC, Auction, Naver)
- Request & secure zombies (7 Jul); analyze zombies (remote & onsite)
- DDoS malware collected (7 Jul); malware analysis; attacker: confirmed there is no C&C
- Handling entire zombies (15 Jul); DDoS attack terminated
Thank you
twpark@krcert.or.kr